88 comments

[ 11.3 ms ] story [ 4058 ms ] thread
This is huge. It basically means that WADA confirms an attack by a Russian cyber espionage group. What's WADA you ask? I have no idea. Did I actually read the article? No.
This is insanity...and whats worse, is Russian state-media are trying to say they were doping...theres NO doping on those charts.
As far as leaks go I find it interesting.

We see that athletes are allowed to take some very strong and beneficial drugs and its not doping.

I had always pictured that "clean" athletes were not eating OxyContin or required vast amounts of asthma medication to make it through the day. (This last part if from a different disclosure).

I think an adjustment to the current regiment would be that each athlete disclose exactly what type of drugs they are consuming.

What is doping and what is not is not arbitrary but it certainly changes over time.

Maybe we could let athletes take (and disclose) anything they wanted. Then we could develop a handicapping system similar to balance of power in Motorsport. It'd allow for more dimensions of strategy. Would be interesting to see how that would play out.
Just like nearly any moral line, morals here are contingent. I think it is hardly necessary to point out the arbitrariness of which recreational drugs are illegal, with one of the most dangerous being legal and considered moral in moderation.

As far as sports drugs, I honestly don't care about it, not being someone who watches or participates in any of them. But I strongly suspect that we'll see the "ok"/"not ok" lines being drawn towards maximizing viewers, perhaps with a sop towards athlete-health down the list somewhere.

I also predict that conversations about doping will sometime soon indirectly put enough pressure on the US NFL to cause it serious problems about player brain injury. It is hard to worry about player health regarding drugs and ignore the people broken by other aspects of the games.

It seems Simone Biles, and the Williams sisters are taking performance enhancing drugs. But the athletes in question have an exemption from the doping agency.

More coverage over on the NYTimes: http://www.nytimes.com/2016/09/14/sports/simone-biles-serena...

Yes, they'd have gotten away with it too, on a technicality, if it wasn't for truth-loving hackers. A drug's a drug, a cheat's a cheat. Zero tolerance.
Same state media that claimed MH17 was shot down by the Ukrainian air force, so I'm not terribly surprised.
Recently I've become worried that almost all "leaks" are done by nations.
I think what's interesting is that a lot of the other recent leaks of user data were all from around 2012 or before.

What has leaked since 2012 that we won't know about until 2020?

I don't think it's necessary a problem that more current leaks are state sponsored.

Firstly, that's their job.

Secondly they're open about what they[1] are doing and are on a recruitment drive.

Thirdly, the more leaks that are obviously state-sponsored suggests sites are better protected against johnny hacker and his downloaded scripts.

[1] By "they" I mean the agencies who frequently pop up here with articles about how they're recruiting because of an ongoing cyber-war. (And yes, the word cyber is cringeworthy but it's the word used.)

Sadly, I conclude that devices connected to the Internet are irremediably insecure. Air-gap it or lose it, I guess.
Digital is dangerous. There's a reason why the Kremlin switched back to typewriters.
funny thing is that they had digital bugs in the 70s and 80s just for those digital typewriters. Mechanical hipsters rejoice!
The news stories from 2013 were amusing and compelling but all the articles reference an order of about a hundred typewriters. This implies an amazing level of productivity by Russian bureaucrats or that the typewriter order was not sufficient for their needs.
I can just imagine Richard Stallman tingling with pleasure reading comments like this (after pulling the html through his email server or whatever he does)
That is ultimately too pessimistic. Security is a gradient, and there's a lot you can do make yourself both a smaller target, and a harder target.

Compartmentalization is one of the strongest defense tools we have. For example, with the icloud leaks an attacker was able to gain access to all the data in a single strike. If it's true that Apple can no longer decrypt user's icloud data, an attacker now needs to hack people one-by-one. Hacking takes time and effort, and a one-by-one payoff may make it that hacking icloud is no longer worth the effort. Users are safer, even though they are still theoretically vulnerable.

A lot of people are stepping up to the plate to offer stronger security on digital systems. (Qubes, for example. Let's Encrypt, for example). If choose to take security seriously, hacking will become harder, the rewards will plummet, and the world will be safer.

helloworld's assessment is realistic when people's lives are on the line. That doesn't happen too often, but when it does, are you sure you'd trust a gradient?
Sure. Lives are on the line constantly @ gradient. Eg drive a car where a safety feature was omitted because it's uneconomical
> hacking will become harder, the rewards will plummet, and the world will be safer...

...security will become less of a concern, hacking will become easier, the rewards will rise, security will be taken more seriously...

Unless I am mistaken iCloud wasn't compromised.

There was an issue with allowing brute force attacks which was fixed. But all the publicised hacks were to do with individual accounts being compromised.

99% sure you're right. It was a mix of brute force and phishing iirc.
And social engineering.

I think in one case the "secret questions" used to reset accounts was actually asked during a media junket by a fake reporter.

In this case there wasn't even a real security vulnerability, just a spear-phishing attack. Organizations need to hold employees accountable for their own stupidity if they want to prevent this from happening. Any sane organization would fire an employee who gave a stranger keys to the office; falling for a phishing scam is the online equivalent of that.
(comment deleted)
> Any sane organization would fire an employee who gave a stranger keys to the office; falling for a phishing scam is the online equivalent of that.

No, they likely wouldn't fire someone unless they specifically had controls in place for that (eg. security clearance area). People "tailgate" at companies all the time.

http://www.pacifict.com/Story/

In addition, the "value" of these records shot up dramatically once Russia was banned. The security was not stepped up to match.

The real problem is the fact that managers DO request passwords, access control changes, etc. via email, and they do it more often than people get phished. So, people learn to give out information rather than protect it.

The security vulnerability is very real. Should this same treatment be applied to the people who write code? If a software vulnerability allows an attacker into the business should that developer be fired? What if it's a UI bug that causes the company to lose sales. Should they be on the hook?

I think a more constructive reaction would be to say that phishing training is important and should be implemented or revised. In addition technical solutions should be investigated. Perhaps some of the infallible people who never fall for phishing attacks can automate part of their brilliance for the mere mortals.

Why the hell US government, US media and pro-US organizations (ex. WADA) says that the Russian government was behind all hacking attacks in the last 6 month (maybe year or even more)? It sounds like a broken joke from 60s...

Yes, I'm Russian. Yes, I live in Russia. And Yes, I like my country.

Maybe because the evidence both online and offline implicates them? Lest we forget the events of Sochi.

http://m.bbc.com/sport/36823453

Yeah, but think about this points: a) this report is based on words of the man, that run away from Russia after the Prosecutor's office started an investigation about his actions on RUSADA president position. Charges against him includes selling a restricted drugs. His sister was sent to prison for selling a restricted drugs several year ago, but the investigators wasn't able to find "her dealer". b) this report is done by Richard Mclaren, who was one of the first people, that started to talk about such awful events is the sport world. So he i not the correct person to investigate such situation. c) Richard Mclaren and WADA said that the have a solid proves of the accusations in Sochi report, but still they declined to show them anybody including Tomas Bah. I don't support any of conspiracy theories, but this one smells very-very bad. b) Will the judge of any US court accept similar case with no evidence? If yes, then probably there is no any kind of problems with law in Russia...
> Why the hell US government, US media and pro-US organizations (ex. WADA) says that the Russian government was behind all hacking attacks in the last 6 month (maybe year or even more)? It sounds like a broken joke from 60s...

You are likely on solid ground accusing the US government of using Russia as an excuse.

When you accuse WADA of being "pro-US"; however, you lose all your credibility.

Probably you should read a data, leaked from WADA about US sportsmen and the drugs they used before talking about my credibility.
Can you provide this data to enlighten the rest of us?
Not sure why the downvote, do we not ask for evidence anymore?
This whole thread is about the leak of that exact data
Hackers website: http://fancybear.net/.

There is documents, that WADA allowed Serena Williams to take oxycodone and hydromorphone (opioids), prednisone, prednisolone, and methylprednisolone. Her sister Venus Williams was allowed to take prednisone, prednisolone, triamcinolone and formoterol. This is very strong grungs, they should lay in hostpital if they need then for living (owning some of this drugs will cause a 14 years sentence in EU). There is also info about Simone Biles and Elena Delle Donne and they promise more :)

Вот с этого бы и начинал.

Эмоций надо поменьше, а то заклюют ни за понюх :)

There is a difference between doping amongst athletes and state sponsored doping regimes.
Because it serves their interest to say so, regardless if it's actually true. Russia is a welcome target and it's basically impossible to prove who's reponsible for a hack like this (the korean symbols in the Fancy Bear's website's [1] source code are cute though).

Also, that's how media works these days. One press release to Reuters, and all the newspapers publish the same "facts".

That being said, I think it's fairly plausible that some actor with relations to Russia would publish documents like these.

[1] http://fancybear.net

This is driving me crazy. No proves was provided of almost any (all?) claims against Russia in the last 2-3 years. They just continue saying: "It was Russian", "It was Putin" etc. But where is the proves? Give me then and I'll stop talking about this.

Several years ago I used to support eastern position in all situation in Russia. But after accusation against Russia with no proves started to appear I become quite disappointed in the US...

Here's a description of Russian state sponsored trolling. It's worth a read, even though it's long.

http://www.stratcomcoe.org/internet-trolling-hybrid-warfare-...

Especially page 60 onwards is useful.

Some of us do it for free [lulz] tho.

COngrats, u've been Russian-trolled :V

I can give you my contacts or meet you anyway in the world, so you can be sure, that I'm not a troll, that was payed by Russian government. Just pay me for tickets. I'm just a simple family man, who works as a programmer and in less the one year I will post my startup here, at Hacker News :)
That's not really true now is it. One of the most technically proficient hacks of recent times would have to be the Stuxnet attack, which is largely accepted to be the work of the US security services. this was widely covered in all media regardless of their affiliation with the US.

In addition many attacks have been attributed to China in the period you have mentioned.

It is incredibly likely that US based hackers have attacked both Russian and Chinese targets however both these governments would cover up these through control of state media to prevent what they would see as embarassment. Western media will report on hacks regardless of which government had done them if they were aware of the hack occuring.

No problems with liking your country but blindly believing everything put out by state controlled media does not have to be part of that.

How WADA can distinguish Russian group from any other? How anti-doping agency becomes proficient in cyber security?
Government & consultants.
What government and who are the "consultants" ?
You just want to argue, don't you. I don't have time for this.
That comment wasn't civil nor thoughtful as HN requires of each one of us that want to be part of this experiment. I hope next time you give us a piece of your mind it'll more representative of the best part of it.
There is an industry of reputable, large scale businesses that do attribution work. Generally, if you see attack attributions written up in major news outlets, one or more of them have concurred on the attribution.

For instance: the HRC/DNC attribution started with CrowdStrike (whose executive team is not exactly HRC-friendly), and concurrences were later released by some of CrowdStrike's competitors.

Attribution is obviously deeply imperfect. But it's not as simple as "this sure seems like Russian and there's some Cyrillic so let's call it a day".

So, what are the most common methods for this?
Extremely large scale instrumentation of endpoints and networks that unpack and fingerprint every transmitted executable across a decent sized fraction of the whole planet.

Attack tools are deployed cliquishly, and different groups have different tradecraft; they leave fingerprints.

This is fascinating stuff. I am going to ask more dumb questions :) I guess most of it is secret but still.

To do this kind of fingerprinting one needs to be able to inspect a large chunk of traffic of the whole Internet. I thought that was not really possible for private companies (except maybe a few).

How do you fingerprint malicious executables if the traffic is encrypted?

I suppose attempts to cover your tracks and to impersonate other groups are common. Are they feasible?

Companies like Crowdstrike instrument, in effect, the victims of these attacks. Think of them as a kind of antivirus software, with desktop installations across an enterprise, coupled with a C&C channel that funnels all the executables they find back to a central analysis system.

By the time something like Crowdstrike or FireEye is seeing an executable, it's already been decrypted.

It's totally possible to impersonate another hacking group, but you have to know a lot about their tradecraft to do so with any fidelity.

This particular APT is also not exactly subtle. Their attacks appear to be political maneuverings that the Russians want the American security establishment, which includes many reputable attribution analysts, to recognize as Russian activities.
Likely the Royal Canadian Mounted Police (Canada's Federal Police Force) given that WADA is based in Montreal.

The quote from the article:

"WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,” he continued."

And even without that it was pretty obvious who the attackers were given the released data:

1) Focus on US athletes

2) Bear mentioned in name of hackers

3) Focus on sports doping (which Russia was recently found guilty of)

Now I know that many hacks and hackers will obfuscate the trail to them as much as possible but this is a fairly basic attack with little in the way of real impact as a result of the releases. It was obvious even to a non-security professional that the most likely culprits were russian nationalist hackers.

ThreatConnect, and FireEye, computer security companies, performed the attribution. I had never heard of ThreatConnect before today; FireEye is well-known for accurate analysis. It's attribution reputation is similar to that of Kaspersky Labs.
While it is an evolving situation, at present, we believe that access to ADAMS was obtained through spear phishing of email accounts; whereby, ADAMS passwords were obtained enabling access to ADAMS account information confined to the Rio 2016 Games.

It's amazing that people are still being phished successfully.

Why? It's the standard security imbalance. The attacker only has to be successful once while the defenders have to never make a mistake.
I disagree. The attacks are becoming more sophisticated and fool the most seasoned techies. Additionally, when I ask "Baby boomers" if they understand phishing, they oftentimes say yes but then have trouble explaining what it is or how it is executed.
Spear phishing is not your regular fishing. It is tailored to your expectations and preferences. If you really expect some important email, you can easily click the link without looking at it.
Maintaining the attitude that you are not susceptible to being phished is a great way to get phished.
> “This is just the tip of the iceberg,” a statement posted to the Fancy Bears site said. “Today’s sport is truly contaminated while the world is unaware of the large number of American doping athletes.”

What's up with hackers and their English grammar? Shouldn't it be doping American athletes? This reminds of the adjective-word-order rule and Tolkien's "green great dragons" story. [1]

[1] http://languagelog.ldc.upenn.edu/nll/?p=27890

I'll wager their English is better than your Russian.
> Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia

Seems like they imply the Russian state is behind this but they don't explicitly say it, probably because they have no proof, as always. What trust do I have in WADA when they clearly have a bias against Russia?

The conclusion is not WADA's, so your distrust of WADA has very little to do with the story.
What do you mean? That statement was made by Olivier Niggli, Director General, WADA
They are not the organization that conducted the investigation.
You didn't get me. In this post they say the attack originated in Russia. I hope you don't think that automatically means the government did it. In any case, wada does not explicitly accuse the government. But still they give that condescending statement, as if Russia now has to become a country without criminals to win trust back. I think it is telling of their bias.
The extent of doping in Russia was far beyond anything seen elsewhere. So yes when you have a complete collapse in trust in a country they will have to earn their way back.
Please stop with this. You are repeating some argument that is not relevant in this discussion.
Again: WADA isn't the organization that determined the where the attack came from.
You would do well to read the article, specifically:

“WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,”

A quick google search of Fancy Bears (the name the hackers have used on their release page) links them to APT28:

"APT28, as it's known by FireEye/Mandiant, is also called Tsar Team by iSIGHT Partners, Sednit by Eset, Fancy Bear by CrowdStrike, and Operation Pawn Storm by Trend Micro. This attack group goes after NATO, Eastern European government and military agencies, defense, and Russian adversaries, the report notes."

WADA didnt investigate, the investigation is done by competent security analysts, and whilst I am aware that anything is this sphere is possibly misinformation/propaganda from both sides, it would seem evident that after Russia were sanctioned for doping, then hackers release data on suspected US doping that there is an easy link to make. And there is very little to be gained by another adversary trying to make trouble between the US and Russia with such an attack.

You would do well to try to understand my comment better. Is there proof this hacker group is the Russian government? I don's hear any and even wada did not claim this. Therefore it is a criminal group from Russia. Why should Russia as a state be punished for its criminals? Is that how it works now?
Usually I trust Kaspersky to ID the correct Advanced Persistent Threat when it's Western and FireEye when it's non-Western, in this case APT28 a.k.a Fancy Bear.

APT28 is pretty obviously Russia, due to character encodings in the files, timestamps, etc. etc. etc. If I'm not mistaken, the attacks almost always also leak the location of a particular Russian government building. The technical evidence for their previous attacks is so extensive it seems they want to be caught.

They're who the Russian government sends when they want to make it obvious it was them to other governments, but don't want to start an open conflict.

WADA doesn't have a particular bias against Russia. It's undisputed that there was state supported and sanctioned doping regimes that athletes were full aware of.

If anything WADA and the IOC have been far too lenient with Russia given the extent of evidence.

Well Russia disputes it. But anyway, let's stay on the current topic
Has there ever been an attack attributed to Russia that they didn't dispute?
Has there been an increase in the number of large hacks originating from Russia in the last 12-24 months or is reporting just increasing?
Another question is why doping tests data paid by taxpayers of the World are not public? Why do we need for hackers (thanks a lot guys dependless on your nation, race, gender etc) to know the truth?
Lots of things are paid for with tax dollars that shouldn't be automatically public. Health care, school results - just because someone is an athlete doesn't mean they lose all right to privacy.
DO YOU KNOW YOU CAN HACK WESTERN UNION TO GET RICH HOW YOU CAN GET MTCN + ALL DETAILS

After we confirm payment, the waiting time is 1-2 hours then you get MTCN + all details for you to cash out. After your successful payment confirmation, You will receive the MTCN (10 numbers) + all details (sender name + country sender) for your cash-out money. You do get your MTCN immediately, whenever you want and anywhere that has Western Union. It is important to stay on standby during this time(1-2 hours) while your transaction is taking place

We have a 24hr support service for you via Email: davidtimmyhackprof@gmail.com

       PRICE       AMOUNT	           DETAILS
(Minimum)$250 $3000 MTCN + ALL INFO FOR CASH OUT $350 $6000 MTCN + ALL INFO FOR CASH OUT $500 $10,000 2 MTCN's of $5000 + ALL INFO FOR CASH OUT $700 $15000 2 MTCN'S of $7500 + ALL INFO FOR CASH OUT $800 $20,000 2 MTCN'S OF $9900, 1 MTCN of $200 + ALL INFO FOR CASH OUT $1500 $30,000 3 MTCN'S of $9900, 1 MTCN of $300 + ALL INFOFOR CASH OUT $2500 $45,000 4 MTCN'S of $9900, 1 MTCN of $5400 + ALL INFOFOR CASH OUT $3500 $60,000 6 MTCN'S of $9900, 1 MTCN of $600 + ALL INFOFOR CASH OUT $5500 $80,000 8 MTCN'S of $9900, 1 MTCN of $800 + ALL INFOFOR CASH OUT (Maximum)$8000 $100,000 10 MTCN'S of $9900, 1 MTCN of $1000 + ALL INFOFOR CASH OUT
DO YOU KNOW YOU CAN HACK WESTERN UNION TO GET RICH HOW YOU CAN GET MTCN + ALL DETAILS

After we confirm payment, the waiting time is 1-2 hours then you get MTCN + all details for you to cash out. After your successful payment confirmation, You will receive the MTCN (10 numbers) + all details (sender name + country sender) for your cash-out money. You do get your MTCN immediately, whenever you want and anywhere that has Western Union. It is important to stay on standby during this time(1-2 hours) while your transaction is taking place

We have a 24hr support service for you via Email: davidtimmyhackprof@gmail.com

       PRICE       AMOUNT	           DETAILS
(Minimum)$250 $3000 MTCN + ALL INFO FOR CASH OUT $350 $6000 MTCN + ALL INFO FOR CASH OUT $500 $10,000 2 MTCN's of $5000 + ALL INFO FOR CASH OUT $700 $15000 2 MTCN'S of $7500 + ALL INFO FOR CASH OUT $800 $20,000 2 MTCN'S OF $9900, 1 MTCN of $200 + ALL INFO FOR CASH OUT $1500 $30,000 3 MTCN'S of $9900, 1 MTCN of $300 + ALL INFOFOR CASH OUT $2500 $45,000 4 MTCN'S of $9900, 1 MTCN of $5400 + ALL INFOFOR CASH OUT $3500 $60,000 6 MTCN'S of $9900, 1 MTCN of $600 + ALL INFOFOR CASH OUT $5500 $80,000 8 MTCN'S of $9900, 1 MTCN of $800 + ALL INFOFOR CASH OUT (Maximum)$8000 $100,000 10 MTCN'S of $9900, 1 MTCN of $1000 + ALL INFOFOR CASH OUT